The current behavior is to throw an error (NETWORK_ERR: XMLHttpRequest Exception 101) for synchronous requests and set the status to 0 for asynchronous requests.
IE and Fx both correctly set the status to 401 for both synchronous and asynchronous requests.

Confirmed with r23984.
Please note that the current draft of XMLHttpRequest spec just says that "If authentication fails, user agents should prompt the users for credentials." It probably needs to say that the user can be asked for credentials only once, and if that doesn't help, the 401 response is returned.

Fixed on Mac in <http://trac.webkit.org/changeset/63095>. A Windows Safari fix is in closed source code.
The fix was to change what happens when the user cancels authentication sheet. Please file new bugs for other aspects that may be still wrong.